5. The Approach to Cybersecurity: Cyber Risk Management

Threats in general can also be natural or man-made. A natural threat is a threat due to nature, and a man-made threat is a threat caused by humans. Cybersecurity threats are limited to just man-made threats because cyber attacks are initiated by human beings. Therefore, while floods, fires, and earthquakes can be significant natural threats to an organization, and they can impact computer systems and data, strictly speaking, they are information technology (IT), not cybersecurity, threats.

A threat can also be intentional or accidental. Hackers deliberately attack organizations—cybersecurity threats are always intentional. Accidental threats certainly exist and can also cause harm to computer systems and data, but these are not cybersecurity threats. For example, an employee might drop his laptop, spill coffee on his keyboard, or even accidentally delete important files—all of these accidents are IT threats, not cybersecurity threats. Even in the cases where an employee inadvertently views another employee’s private files or unwittingly publishes customer PII on the Internet, these are not strictly cybersecurity threats because they are not performed by a cyber threat actor with malicious intent.

While the distinction between intentional and accidental threats may seem pedantic, it reinforces the centrality of the human adversary to cybersecurity. And importantly, it does not impact cybersecurity practice. Cybersecurity measures put in place to protect against insider threats address accidental threats, too. If a well-meaning employee can accidentally cause a data breach, then an insider threat could easily do so and probably much worse.

Therefore, in terms of cybersecurity risk management, a cyber threat is an action taken with malicious intent that discloses, alters, or denies access to a cyber asset.

Cyber threats are not limited to cyberspace only. A cyber threat can come through cyberspace or physical space and can cause undesirable consequences in either cyberspace or physical space or both. For example, installing malware remotely on an industrial control system (ICS) through a computer network that causes physical equipment to overheat and explode is an example of a threat through cyberspace that causes undesirable consequences in physical space. On the other hand, igniting a fire in the server room that causes an organization’s website to go down is an example of a threat through physical space that causes undesirable consequences in cyberspace (and physical space, too, in this case).

A cyber threat actor is a person that poses a cyber threat. As part of the cyber risk management process, cyber threats should be enumerated. Chapter 3 described several different types of cyber threat actors, including criminal hackers, hacktivists, nation state hackers, and nuisance hackers. These categories should be examined from both an insider threat and external hacker perspective to understand who may be motivated to attack an organization. As a general rule, cyber threat actors are numerous in cyberspace and pose a serious threat to every organization.